
Requirement:

The Airwave 8.2.3 release introduces a new interface, docker0, which is used for bridging in virtualization. This can cause network issues because the docker0 interface picks an IP address from the pool 172.17.0.0/16, which might match another device in the same network. As a result, communication between Airwave and devices in the 172.17.0.0/16 subnet might fail.

Solution:

To fix this, we can disable or delete the docker0 interface. However, instead of permanently disabling it, we can change its IP address to a loopback IP address or any other non-routable IP. This ensures that current network devices are not impacted, and you can still use the docker interface if needed.

Configuration:

Run the following commands from the Airwave support shell:

Stop the service

service docker stop

Bring the interface down

ip link set dev docker0 down

Delete the interface

brctl delbr docker0

Modify the configuration to use the new IP address

vi /etc/sysconfig/docker

Add --bip=x.x.x.x/xx to the other_args="" line so that it reads:
other_args="--bip=10.1.1.1/24"

Start the service

service docker start

Run ifconfig to confirm that the docker0 address has changed.

We can also choose to delete this interface based on requirement:

[root@localhost mercury]# sudo ip link delete docker0 type bridge

[root@localhost mercury]# service network restart

Verification

Example output:

Note: If you decide to delete the interface, docker0 will not show up in the output of ifconfig -a.
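Before restarting the service, it helps to confirm that the address chosen for --bip does not itself collide with a subnet Airwave has to reach. The following is an added example, not part of the original article: it reads the other_args line, works out which network docker0 will occupy (172.17.0.0/16 when no --bip is set, as described above) and lists overlapping subnets. The subnet list and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Range the article says docker0 draws from when no --bip is configured.
DOCKER_DEFAULT = ipaddress.ip_network("172.17.0.0/16")


def bridge_network(sysconfig_text):
    """Return the network docker0 will occupy, given /etc/sysconfig/docker text."""
    for line in sysconfig_text.splitlines():
        line = line.strip()
        if not line.startswith("other_args="):
            continue  # skips comments and unrelated settings
        match = re.search(r"--bip=([^\s\"']+)", line)
        if match:
            # --bip is a host address plus prefix length, e.g. 10.1.1.1/24;
            # ip_interface raises ValueError if the value is malformed.
            return ipaddress.ip_interface(match.group(1)).network
    return DOCKER_DEFAULT


def conflicts(sysconfig_text, in_use_subnets):
    """List the in-use subnets that overlap the docker0 bridge network."""
    bridge = bridge_network(sysconfig_text)
    nets = [ipaddress.ip_network(s) for s in in_use_subnets]
    # overlaps() cannot compare IPv4 with IPv6, so filter on version first.
    return [str(n) for n in nets if n.version == bridge.version and n.overlaps(bridge)]


# Constructed sample data: subnets of monitored devices and two file states.
MANAGED = ["172.17.40.0/24", "10.20.0.0/16", "192.168.5.0/24"]
BEFORE = 'other_args=""\n'
AFTER = 'other_args="--bip=10.1.1.1/24"\n'

if __name__ == "__main__":
    for label, text in (("default", BEFORE), ("with --bip", AFTER)):
        hits = conflicts(text, MANAGED)
        print(label, bridge_network(text), hits if hits else "no overlap")
```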

Summary

The remote AP (RAP) white list is the method by which a controller manages which RAPs are allowed to terminate on the controller, which AP group each is assigned to, and so on. The RAP wired MAC address is needed for a certificate-based RAP to establish the IPsec tunnel successfully with the controller.

There are various ways to manage the RAP white list. When you provision the RAP through the controller web interface, the wired MAC address is added to the white list table automatically. However, when you provision the RAP using the Aruba Instant Convert option, you need to enter it manually on the controller. Alternatively, if the entries are available in the Activate server, you can configure the controller to pull the entries in.

This solution allows a user to enter a list of comma-separated RAP wired MAC addresses, and the system generates the configuration commands that you can apply to your controller. The three operations supported are add, delete and revoke. Note that the white list command was introduced in the AOS 6.3 release; earlier AOS versions use the local-userdb command.

Q:

How to Initiate a Remote Telnet or SSH Session from the Controller

A:

Starting from ArubaOS 6.5, an administrator can initiate a remote telnet or SSH session from the controller to a remote host. The host can be a controller or a non-Aruba host.

To initiate a telnet session from the controller to a remote host:
1. Initiate an SSH session to the controller.
2. In the enable mode, execute the telnet <user> <remote-host> [<port-num>] command. user: User name of the remote host. remote-host: IPv4 or IPv6 address of the remote host. port-num: Telnet port number of the remote host. This is an optional parameter.
3. Once successfully connected, the remote host prompts for the credentials. Enter the remote host credentials.

To initiate an SSH session from the controller to a remote host:
1. Initiate an SSH session to the controller.
2. In the enable mode, execute the ssh <user-at-host> command. user-at-host: Username and IPv4 or IPv6 address of the remote host in the user@host format.
3. Once successfully connected, the remote host prompts for the credentials.

This feature is supported from the SSH session of the controller only.

There is an inactivity timeout for the CLI sessions. When an administrator initiates a remote session (inner) from the controller’s SSH session (outer), and the remote session takes more time than the inactivity timeout session, the outer session times out although the inner session is active. The administrator has to log back in to the outer session once logged off from the inner session.

Designated telnet client control keys do not work for remote telnet sessions. When an administrator initiates a remote telnet session (inner) from the controller’s SSH session (outer), the designated telnet client control keys function for the outer SSH session only. The administrator should designate unique control keys for each remote telnet session.

Q:

How do I quickly search for a specific Instant AP or Mobility Access Switch on Aruba Central?

A:

Central provides a standard web-based interface that allows you to configure and monitor Instant Access Points (IAPs) and Mobility Access Switches. Integrated in this web interface is a Search text box, which an administrator can use to search for an IAP, Mobility Access Switch, client, notification event, network or label.

When you type a search string, the search function suggests matching keywords and allows you to automatically complete the search string entry. This is very handy when a user does not know which AP group a client or IAP is part of.

Lync ALG is an implementation of a full-fledged ALG for Microsoft Lync software. Microsoft Lync provides enterprise users with the ability to make voice and video calls to each other and also enables applications like ‘Desktop Sharing’ and ‘File Transfer’. The proposed ALG for Lync will allow Aruba to provide value-added services like QoS, Call Admission Control, Call Quality metrics and Prioritization for the various Lync applications. This solution also provides a dedicated visibility and debugging framework to fine-tune and troubleshoot Lync traffic flow on Aruba networks.

Once the applications are invoked, the Lync server shares the session-related information with the Lync Plugin, which in turn passes this information to the controller through HTTP/HTTPS-based XML communication.

The "logon" role is a specialized user role with default settings, in which a user is placed before any L3 authentication has taken place. The logon user lifetime exists mainly for public-facing SSIDs, where a lot of trespassers attempt to connect without performing any authentication. Such client connections do not consume network resources, but they do consume user licenses on the controller. The idea is therefore to remove clients that do nothing but stay idle in the "logon" role for a certain amount of time. Clients in an authenticated role are therefore not subject to the logon user lifetime.

This article explains

Need for a port or VLAN to be configured trusted or untrusted

Configuring a port or VLAN to be trusted or untrusted

Trust/untrusted combination between port and VLAN to determine if traffic is trusted or untrusted.

You can classify wired traffic based not only on the incoming physical port but also on the VLAN associated with the port carrying the traffic. For example, suppose a user is connected on VLAN 10 and needs to pass traffic through wired port 1/0. If VLAN 10 on that wired port is marked as untrusted, then any traffic on VLAN 10 through that port is marked as untrusted.

When you define a physical port, or a VLAN associated with that port, as untrusted, traffic passing through that port has to go through a predefined access control list policy. You can set a range of VLANs as trusted or untrusted on a trunk port.

The following table lists the port/VLAN combinations that determine whether user traffic is trusted or untrusted:

| Port | VLAN | Traffic Status |
|---|---|---|
| Trusted | Trusted | Trusted |
| Untrusted | Untrusted | Untrusted |
| Untrusted | Trusted | Untrusted |
| Trusted | Untrusted | Untrusted |

Environment : This article applies to all controller models and OS versions.

The following outputs are taken from Aruba 7210 controller running 6.3.0.1

Using WebUI:

Navigate to Configuration > Ports

Enable the “Make Port Trusted” checkbox

Enter the VLANs to be allowed on the port and mark them trusted or untrusted.

If the "trusted" checkbox is enabled, only the entered VLANs will be marked trusted. The rest of the VLANs will automatically be categorized as untrusted.

This article explains the use of “netdestination” or “alias” and the steps to configure it on the Aruba controller.

An “Alias” or “Netdestination” is created as an alias for a specific host or network, or to group together a set of hosts/networks. When using this option, you need to configure the IP address of the host/network.

This is useful when we need to allow or disallow a specific set of hosts/networks: we need not permit or deny each host/network separately. We can instead create a netdestination containing those hosts/networks and allow or disallow access to it.

Environment : This article applies to all the controller models and AOS versions.